Lines Matching refs:domain
10 # Old domain may exec the file and transition to the new domain.
13 # New domain is entered by executing the file.
15 # New domain can send SIGCHLD to its caller.
36 # file_type_trans(domain, dir_type, file_type)
37 # Allow domain to create a file labeled file_type in a
44 # Allow the domain to add entries to the directory.
46 # Allow the domain to create the file.
52 # file_type_auto_trans(domain, dir_type, file_type)
54 # they are created by domain in directories labeled dir_type.
65 # r_dir_file(domain, type)
66 # Allow the specified domain to read directories, files
74 # tmpfs_domain(domain)
75 # Allow access to a unique type for this domain when creating tmpfs / ashmem files.
110 # Mark the server domain as a PDX server.
114 # Allow the server domain to use the endpoint socket and accept connections on it.
118 # Allow the server domain to apply security context label to the channel socket pair (allow process…
120 # Allow the server domain to create a client channel socket.
123 neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
159 # init_daemon_domain(domain)
160 # Set up a transition from init to the daemon domain
167 # app_domain(domain)
174 neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
183 neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
187 # untrusted_app_domain(domain)
194 # net_domain(domain)
201 # bluetooth_domain(domain)
219 neverallow { hal_$1_server -halserverdomain } domain:process fork;
224 neverallow { hal_$1_server -hal_$1 } domain:process fork;
225 neverallow { hal_$1_client -halclientdomain } domain:process fork;
230 # hal_server_domain(domain, hal_type)
231 # Allow a base set of permissions required for a domain to offer a
235 # type hal_foo_default, domain;
245 # hal_client_domain(domain, hal_type)
246 # Allow a base set of permissions required for a domain to be a
269 # passthrough_hal_client_domain(domain, hal_type)
270 # Allow a base set of permissions required for a domain to be a
307 # Allows source domain to set the
318 # Allows source domain to read the
335 # binder_use(domain)
336 # Allow domain to use Binder IPC.
345 # all domains in domain.te.
349 # hwbinder_use(domain)
350 # Allow domain to use HwBinder IPC.
361 # all domains in domain.te.
365 # vndbinder_use(domain)
366 # Allow domain to use vendor Binder (vndbinder) IPC.
382 # Call the server domain and optionally transfer references to it.
391 # binder_service(domain)
392 # Mark a domain as being a Binder service domain.
399 # wakelock_use(domain)
400 # Allow domain to manage wake locks
418 # selinux_check_access(domain)
419 # Allow domain to check SELinux permissions via selinuxfs.
428 # selinux_check_context(domain)
429 # Allow domain to check SELinux contexts via selinuxfs.
437 # create_pty(domain)
438 # Allow domain to create and use a pty, isolated from any other domain ptys.
440 # Each domain gets a unique devpts type.
452 # allowed to everyone via domain.te.
551 # write_logd(domain)
560 # read_logd(domain)
569 # read_runtime_log_tags(domain)
576 # control_logd(domain)
586 # use_keystore(domain)
600 # use_drmservice(domain)
610 # add_service(domain, service)
611 # Ability for domain to add a service to service_manager
616 neverallow { domain -$1 } $2:service_manager add;
620 # add_hwservice(domain, service)
621 # Ability for domain to add a service to hwservice_manager
627 neverallow { domain -$1 } $2:hwservice_manager add;
632 # Ability for domain to get a service from hwservice_manager
642 neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
647 # can_profile_heap(domain)
648 # Allow processes within the domain to have their heap profiled by heapprofd.
653 # allowing profiling for a domain only on debug builds, without granting
675 # can_profile_heap_userdebug_or_eng(domain)
676 # Allow processes within the domain to have their heap profiled by heapprofd on
705 # never_profile_heap(domain)